On Friday 08 February 2008 08:11:58 Tony Earnshaw wrote:
> Dan White wrote, on 07-02-2008 18:42:
>
> [...]
>
> > I understand that I could implement the password policy overlay to
> > temporarily lock out an account once it's reached a certain number of bad
> > password attempts, but I believe that only applies to simple (-x) binds.
> > Is that correct?
>
> My site's running ppolicy on 2.3 on Linux for gdm logins with great
> success; however, my understanding is that it only cares about
> pam/pam_exop calls (presumably also similar from dedicated client or
> proxy software).

exop only affects how passwords are changed, not what the client sends on a
simple bind request.

> Looking at the relevant operational attributes in gq,
> one can see that each failed login is recorded in the pwdFailureTime
> attribute. Doing a repeated ldapsearch -x on an account with an invalid
> password doesn't make the blindest bit of difference to this attribute
> and multiple failed attempts are allowed.

Uh, when binding as the DN in question, or not (your ldapsearch -x is
ambiguous)?

In the testing I did a while back (where I used ldapwhoami), simple binds
with and without the ppolicy control both resulted in lockout (but the one
with the control would warn about impending expiry when testing expiry).

In fact, I broke replication on one of the dev slaves that was using a
simple bind in the syncrepl configuration.

Regards,
Buchan
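Added example (not from this thread or from OpenLDAP itself): a small POSIX sh/awk script an operator can use to check, from the operational attributes the thread discusses, which accounts ppolicy has recorded bind failures for and which it has actually locked. It works on LDIF as `ldapsearch` prints it; the LDIF embedded here is constructed sample data with hypothetical DNs, and the threshold argument is assumed to be the policy's `pwdMaxFailure` value. Note that `pwdFailureTime` and `pwdAccountLockedTime` are operational attributes, so `ldapsearch` only returns them when they are requested by name.

```shell
#!/bin/sh
# Constructed sample of what a search like
#   ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" \
#       '(uid=*)' pwdFailureTime pwdAccountLockedTime
# might return from a ppolicy-enabled server. DNs and timestamps are made up.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20080208081000Z
pwdFailureTime: 20080208081005Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdFailureTime: 20080208081100Z
pwdFailureTime: 20080208081101Z
pwdFailureTime: 20080208081102Z
pwdAccountLockedTime: 20080208081102Z

dn: uid=carol,ou=people,dc=example,dc=com
'

# summarize_ppolicy LDIF MAXFAIL
# Prints one line per entry: "<dn> <failure-count> <state>", where state is
#   locked    - pwdAccountLockedTime is set (ppolicy has locked the account)
#   at-limit  - failure count has reached MAXFAIL but no lock is recorded yet
#   open      - below the threshold
summarize_ppolicy() {
    printf '%s\n' "$1" | awk -v max="$2" '
        # Emit the entry collected so far and reset the per-entry counters.
        function flush() {
            if (dn != "") {
                state = locked ? "locked" : (fails >= max ? "at-limit" : "open")
                print dn, fails, state
            }
            dn = ""; fails = 0; locked = 0
        }
        /^dn: /                  { flush(); dn = substr($0, 5) }  # new entry starts
        /^pwdFailureTime: /      { fails++ }                        # one value per failed bind
        /^pwdAccountLockedTime: / { locked = 1 }                    # set when ppolicy locked it
        END                      { flush() }
    '
}

# Example run against the constructed sample with pwdMaxFailure = 3.
summarize_ppolicy "$SAMPLE_LDIF" 3
```

To use it against a live directory, replace `$SAMPLE_LDIF` with the output of the `ldapsearch` shown in the comment and pass the `pwdMaxFailure` value from the policy entry in use; an account that shows `at-limit` without `locked` is worth a closer look, since it suggests the binds that failed were not subject to the policy (or `pwdLockout` is not enabled).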
